diff --git a/lib/index.js b/lib/index.js
index 6929936b3..b89443ba6 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -174,9 +174,17 @@ module.exports = function(config_hash) {
 app.put('/-/user/:argument/-rev/*', function(req, res, next) {
 // can't put 'org.couchdb.user' in route address for some reason
 if (req.params.argument.split(':')[0] !== 'org.couchdb.user') return next('route')
+
+ if (req.remoteUser == null) {
+ res.status(403)
+ return res.send({
+ error: 'bad username/password, access denied',
+ })
+ }
+
 res.status(201)
 return res.send({
- ok: 'you are authenticated as "' + req.user + '"',
+ ok: 'you are authenticated as "' + req.remoteUser + '"',
 })
 })
diff --git a/lib/middleware.js b/lib/middleware.js
index 5955685db..4d08b70d6 100644
--- a/lib/middleware.js
+++ b/lib/middleware.js
@@ -39,14 +39,19 @@ module.exports.expect_json = function expect_json(req, res, next) {
 }
 module.exports.basic_auth = function basic_auth(callback) {
- return function(req, res, next) {
+ return function(req, res, _next) {
+ function next(err) {
+ // uncomment this to reject users with bad auth headers
+ //return _next.apply(null, arguments)
+
+ // swallow error, user remains unauthorized
+ return _next()
+ }
+
 var authorization = req.headers.authorization
- if (req.user) return next()
- if (authorization == null) {
- req.user = req.remoteUser = undefined
- return next()
- }
+ if (req.remoteUser != null) return next()
+ if (authorization == null) return next()
 var parts = authorization.split(' ')
@@ -68,7 +73,7 @@ module.exports.basic_auth = function basic_auth(callback) {
 , pass = credentials.slice(index + 1)
 if (callback(user, pass)) {
- req.user = req.remoteUser = user
+ req.remoteUser = user
 next()
 } else {
 next({
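Review bot: The new `req.remoteUser == null` guard answers with 403, but for HTTP Basic authentication the status that tells a client to (re)prompt for credentials is 401 together with a `WWW-Authenticate: Basic realm="…"` header; 403 conventionally means the credentials were accepted and the action is still forbidden, so an npm client that sent no header at all receives the same 'bad username/password' text as one that sent a wrong pair. Because the middleware.js hunk now leaves req.remoteUser undefined in both cases, this handler cannot distinguish them, and the message overstates what it knows. If this is Express (res.status/res.send suggest so), `res.status(401); res.set('WWW-Authenticate', 'Basic realm="<registry name>"')` before the send would be the conventional reply; at least the error text should not claim a password was checked when none may have been sent. The app.put handler is complete in the hunk, but the enclosing `module.exports = function(config_hash)` starts outside it.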
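Review bot: The inner `next(err)` wrapper discards every error raised on the credential path — malformed Authorization headers and rejected user/password pairs alike — without logging or recording anything, so a failed login leaves no trace and the request continues as anonymous, indistinguishable from a request that sent no header; the `err` parameter is otherwise unused. At minimum record the reason before dropping it (the module's logger if it has one, or a field on req that the route can inspect), and replace the commented-out `//return _next.apply(null, arguments)` with a real option on basic_auth instead of code a maintainer is expected to uncomment. The removed branch also used to reset `req.user`; the new code never assigns `req.user` at all, so any other reader of `req.user` in the project now sees undefined — the index.js hunk updates one such site, and I cannot see whether others remain. A comment above the wrapper such as `// auth failures are deliberately non-fatal: req.remoteUser stays undefined and each route decides whether to reject` would make the contract explicit. The returned function continues past the hunk.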